Overview
Urchin 5 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. The Apache webserver shipped with Urchin is built with SSL support, although it is not enabled by default. Per the following security advisory:
several vulnerabilities in the OpenSSL SSL/TLS library could allow an unauthenticated, remote attacker to cause a denial of service.Impact on Urchin Customers
Beginning with Urchin 4.100, the Apache webserver shipped with Urchin has included OpenSSL. All versions of Urchin from Urchin 4.100 through Urchin 5.501 include a version of OpenSSL that is vulnerable to this denial of service attack.
This issue was addressed in Urchin 5.600, which shipped with an Apache 1.3.29 server using OpenSSL 0.9.d. Customers are encouraged to upgrade to Urchin 5.600 or later.